Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Researchers at Seculert have uncovered what could be evidence of a link between the Mahdi malware and the infamous Flame malware discovered earlier this year.

Though no strong connections have been found between the Flame and Mahdi campaigns, a small clue may have been unearthed in the code, according to Seculert,

"For each victim, the Mahdi malware assigns a unique identifier, which is used by the C&C server to identify which targeted entity it is communicating with," according to Seculert. Part of this unique identifier is a prefix, which is used to help spread the targeted entities between the members of the attacking group and allow them to identify and manage a bulk of targeted entities."

One of the prefixes used by targeted organizations to communicate with three of the four command-and-control (C&C) servers is "Flame."

Further reading

"The first targeted victim with the 'Flame' prefix began communicating with the C&C server in early June, right after the Kaspersky Lab discovery of Flame went public," the firm noted. "Coincidence? Maybe. Another interesting thing to note is that some of the prefixes end with coffinet. These include: Chabehar, Iranshahr, Khash, Nikshahr, Saravan, Zabol, all of which are cities and counties located in the southeast region of Iran."

The malware, which is also spelled Madi, appears to have entered a more sophisticated phase. According to Kaspersky Lab, a newer variant of the malware has been spotted with additional capabilities. The new version, which Kaspersky researcher Nicolas Brulez reported, was compiled July 25.

"Following the shutdown of the Madi command-and-control domains last week, we thought the operation is now dead," he blogged. "Looks like we were wrong."

The new variant has the ability to monitor Jabber conversations as well as the Russian social network VKontakte. In addition, it looks for people who visit pages containing "USA" and "GOV" in their titles, he wrote. Other targeted keywords include "MSN Messenger," "Facebook" and "Gmail."

"In such cases, the malware makes screen shots and uploads them to the C2 [command-and-control server]," he explained.

"Perhaps the most important change," he continued, "is the info stealer no longer waits for commands from the C2instead, it simply uploads all stolen data to the server right away.

The variant uploads data to a command-and-control server located in Montreal, Canada, he noted. Other Mahdi command-and-control servers have also been located in Canada and Tehran.

Previously, researchers at Seculert and Kaspersky used a sinkhole to identify 800 victims who had communicated with four command-and-control servers. The majority of the victims were in Iran. Many of the victims were found to be business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle East engineering students or various government agencies in the region. All totaled, multiple gigabytes of data are believed to have been uploaded from victims' computers, researchers have said.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.